WMCODEC_UPDATE.EXEMalware Dropper

Your PC may be infected. The presence of a file called WMCODEC_UPDATE.EXE is a possible sign of infection.

You should urgently check your PC to make sure it is not infected. The free version of Prevx CSI will scan your PC in less than two minutes and check for millions of spyware and malware infections including WMCODEC_UPDATE.EXE. Don't put your confidential data, or your identity at risk, check your PC now with Prevx CSI.

Download Prevx CSI now »

Associated Malware Groups

The unsafe files using this name are associated with the malware groups:

Malware Dropper
Cloaked Malware
Malicious Software

File Behavior

WMCODEC_UPDATE.EXE has been seen to perform the following behavior:

Enables an In Process Object/Server - Common with DLL Injections
Creation and Registration of a Browser Helper Object in Internet Explorer
Adds Products to the system registry
This Process Creates Other Processes On Disk
Can communicate with other computer systems using HTTP protocols
This Process Deletes Other Processes From Disk
Executes a Process
Creates system tray popups, messages, errors and security warnings
Writes to another Process's Virtual Memory (Process Hijacking)
The Process is packed and/or encrypted using a software packing process

WMCODEC_UPDATE.EXE has been the subject of the following behavior:

Deleted as a process from disk
Created as a process on disk
Executed as a Process
Has code inserted into its Virtual Memory space by other programs
Added as a Registry auto start to load Program on Boot up
Terminated as a Process

Country Of Origin

The filename WMCODEC_UPDATE.EXE was first seen on Jul 22 2008 in the following geographical regions of the Prevx community:

The UNITED STATES on Jul 22 2008
CANADA on Jul 22 2008
The UNITED KINGDOM on Jul 23 2008
GERMANY on Aug 2 2008
SPAIN on Aug 2 2008

File Name Aliases

WMCODEC_UPDATE.EXE can also use the following file names:

UESIUQCR.EXE
2EXUHJPZ.EXE.PART
73003223.EXE
OPR0IWY9.EXE
27096406.EXE
AR44SESG.EXE
BSC6LOMM.EXE
42561946.EXE
34429113.EXE
62876757.EXE
REGION HACK D4734S.EXE
LCG JUKEBOX 2 30 SERIAL.EXE
MFU319A1.EXE
32005837.EXE
88485242.EXE
MPI8VFOR.EXE.PART
58911996.EXE
ADOBE FLASH V10.EXE
��
LPHC18NJ0E9AN.EXE
WNX4EEHU.EXE
0GSTK9IZ.EXE
AUMI1XHZ.EXE
IZH9S4RF.EXE
ZLOB/WMCODEC_UPDATE.EXE
36147058.DAT
22289665.EXE
54038547.EXE
83478005.EXE
LPHCAU3J0ERB3.EXE
59064319.SVD
RBQ65L7L.EXE
0C9W4J63.EXE
47037563.EXE
49431563.EXE
LJRZBBO.TMP

Filesizes

The following file size has been seen:

89,614 bytes
266,877 bytes
407,033 bytes
266,870 bytes
40,972 bytes
275,055 bytes
9,728 bytes
257,365 bytes

Vendor, Product and Version Information

Files with the name WMCODEC_UPDATE.EXE have been seen to have the following Vendor, Product and Version Information in the file header:

Microsoft Corporation; ; 1.00.0310
; Nccoouhu Application; 2, 8, 1, 1

File Type

The filename WMCODEC_UPDATE.EXE refers to many versions of an executable program.

File Activity

One or more files with the name WMCODEC_UPDATE.EXE creates, deletes, copies or moves the following files and folders:

create folder C:\Program Files\RichVideoCodec
Deletes c:\docume~1\user\locals~1\temp\nsqB.tmp
Creates c:\windows\system32\RichVideoCodec.dll
Creates c:\program files\richvideocodec\escan.exe
Creates c:\program files\richvideocodec\InstallRegerLib.dll
Deletes c:\docume~1\user\locals~1\temp\nsa11.tmp
Creates c:\docume~1\user\locals~1\temp\nsa11.tmp\System.dll
Opens/modifes c:\autoexec.bat
Deletes c:\program files\richvideocodec\InstallRegerLib.dll

Registry Activity

One or more files with the name WMCODEC_UPDATE.EXE creates or modifies the following registry keys and values:

HKEY_CURRENT_USER\Software\RichVideoCodec v0 C:\Program Files\RichVideoCodec
HKEY_CURRENT_USER\Software\RichVideoCodec v1 http://codecservice1.com/service/index.php;http://codecservice2.com/service/index.php
HKEY_CURRENT_USER\Software\RichVideoCodec v2 169
HKEY_CURRENT_USER\Software\RichVideoCodec v3 0
HKEY_CURRENT_USER\Software\RichVideoCodec v4 http://www.yourfavoritetube.com
HKEY_CURRENT_USER\Software\RichVideoCodec v1
HKEY_CURRENT_USER\Software\RichVideoCodec v2 8ݻ
HKEY_CURRENT_USER\Software\RichVideoCodec v3 9
HKEY_CURRENT_USER\Software\RichVideoCodec v4 aŸ�Q$5+•_CHAR(0x12)_fI��p�X�R}˜šg�b‘�&x[S
HKEY_CURRENT_USER\Software\RichVideoCodec v8 9
HKEY_CURRENT_USER\Software\RichVideoCodec v5
HKEY_CURRENT_USER\Software\RichVideoCodec v6 l™�Nl
HKEY_CURRENT_USER\Software\RichVideoCodec v11 8ٳ_CHAR(0x16)_*.5�P

Website Activity

One or more files with the name WMCODEC_UPDATE.EXE interacts with the following web sites and pages. Web addresses have been deliberately modified to prevent unintentional use.

TCP:127.0.0.1:1098 Port:19
Port 80 IP:85.255.117.218

Virus, Spyware & Malware Center »